The 'sub' claim value is different between Access and Id tokens

I am using the Resource Owner Password grant flow and requesting an ID token as well (the scope includes openid). I am sending the following to the endpoint:

  • client_id
  • client_secret
  • grant_type=password
  • username
  • password
  • scope

In the response I get the access token and the id token. The value for the sub claim is different between the two tokens. Why is this the case?

Update

It seems that the user id is actually an oid claim. This is described in Azure AD ID token reference.

Text describing the oid claim:

The immutable identifier for an object in the Microsoft identity system, in this case, a user account. This ID uniquely identifies the user across applications - two different applications signing in the same user will receive the same value in the oid claim. The Microsoft Graph will return this ID as the id property for a given user account. Because the oid allows multiple apps to correlate users, the profile scope is required in order to receive this claim. Note that if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they are considered different accounts, even though the user logs into each account with the same credentials.

Text describing the sub claim:

The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused. The subject is a pairwise identifier - it is unique to a particular application ID. Therefore, if a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim. This may or may not be desired depending on your architecture and privacy requirements.

However, I am still not clear why the sub claim is different between the access and id tokens.

nomad asked Oct 18 '18 14:10



1 Answer

The subject (sub) claim is unique for the user and the service for which the token is intended (identified by the audience (aud) claim).

Usually, the ID Token and Access Token audiences will be different: the ID Token audience is the client app where the user is signing in, and the Access Token audience is the resource server the client app will attempt to access (on behalf of the signed-in user).

Philippe Signoret answered Oct 19 '22 21:10
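To see the point of the answer concretely, the following added example (not code from the question or answer, and not Microsoft's) constructs two sample tokens of the shape the question describes and compares their claims side by side. The tokens are unsigned and the claim values (client ID, resource audience, tenant ID, object ID, subject strings) are made-up placeholders; the helper only base64url-decodes the payload segment for inspection, it does not verify a signature. The expected outcome is that `aud` and `sub` differ between the ID token and the access token while `oid` and `tid` are the same, which is what a pairwise subject tied to the audience produces.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used by the JWT compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that compact JWTs strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(payload: dict) -> str:
    # Constructed sample only: alg=none and an empty signature segment, so it
    # can be parsed offline. A real token from the identity platform is signed
    # and must be signature-checked before any claim in it is trusted.
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying it.

    Suitable for debugging which claims differ between two tokens; not a
    substitute for validation on the resource server.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def compare_tokens(id_token: str, access_token: str,
                   claims=("aud", "sub", "oid", "tid")) -> dict:
    """Map each claim name to (id_token value, access_token value, equal?)."""
    id_claims = decode_claims(id_token)
    at_claims = decode_claims(access_token)
    return {
        name: (id_claims.get(name), at_claims.get(name),
               id_claims.get(name) == at_claims.get(name))
        for name in claims
    }


# --- constructed sample data (placeholders, not real identifiers) -----------
CLIENT_ID = "00000000-0000-0000-0000-00000000c1e7"      # the app the user signs in to
RESOURCE_AUD = "api://00000000-0000-0000-0000-0000000000ap"  # the API being called
TENANT_ID = "00000000-0000-0000-0000-0000000000ad"
USER_OID = "11111111-2222-3333-4444-555555555555"       # same user, same tenant

# ID token: audience is the client app; sub is pairwise for (user, client app).
SAMPLE_ID_TOKEN = make_unsigned_jwt({
    "aud": CLIENT_ID, "tid": TENANT_ID, "oid": USER_OID,
    "sub": "sub-pairwise-for-client-app", "preferred_username": "user@example.test",
})

# Access token: audience is the resource; sub is pairwise for (user, resource).
SAMPLE_ACCESS_TOKEN = make_unsigned_jwt({
    "aud": RESOURCE_AUD, "tid": TENANT_ID, "oid": USER_OID,
    "sub": "sub-pairwise-for-resource", "scp": "User.Read",
})


def stable_user_key(token: str) -> str:
    """The claim pair that stays constant for one user across both tokens."""
    c = decode_claims(token)
    return f"{c['tid']}:{c['oid']}"


if __name__ == "__main__":
    for name, (id_val, at_val, same) in compare_tokens(
            SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN).items():
        print(f"{name:4} same={same!s:5} id_token={id_val!r} access_token={at_val!r}")
```

Running the block prints one line per claim; `sub` and `aud` show `same=False` while `oid` and `tid` show `same=True`. If you need one identifier for the same user across both tokens (or across applications), `tid` plus `oid` is the pair that stays constant, which is what the question's update observes.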